Apache and Ubuntu

From Banane Atomic

Configuration

# enable/disable a site
a2ensite [server]
a2dissite [server]

sc-reload apache2

VirtualHost

/etc/apache2/sites-available/myserver.conf
<VirtualHost *:80>
    ServerName www.domain.fr
    ServerAlias myserver
</VirtualHost>

Require

/etc/apache2/sites-available/000-default.conf
<Directory /var/www/html>
    AllowOverride None

    # the variants below are alternatives: keep only one of them

    # all requests are denied
    Require all denied

    # all requests are allowed except 192.168.1.1
    # (a negated Require can never grant on its own, so the pair must be wrapped
    # in <RequireAll>; in the default RequireAny container "Require all granted"
    # would match first and 192.168.1.1 would still get in)
    <RequireAll>
        Require all granted
        Require not ip 192.168.1.1
    </RequireAll>

    # only allow the IPs in 192.168.0.0/24
    Require ip 192.168.0.0/24

    # all hosts in the example.org domain are allowed access; all other hosts are denied access
    Require host example.org
</Directory>
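As an added example (not code from the original page), a small Python model of how mod_authz_core combines Require directives: providers grant or deny, a negated Require can never grant, RequireAny stops at the first grant and RequireAll at the first denial. Running both spellings of the "everyone except 192.168.1.1" rule shows why the RequireAll wrapper matters. The evaluation order is a simplification of Apache's documented behaviour, not its source code.

```python
from ipaddress import ip_address, ip_network
GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"

def provider(directive, client_ip):
    """Evaluate one Require provider ('all ...' or 'ip ...') for a client address."""
    words = directive.split()
    if words[:2] == ["all", "granted"]:
        return GRANTED
    if words[:2] == ["all", "denied"]:
        return DENIED
    if words[0] == "ip":
        nets = [ip_network(a, strict=False) for a in words[1:]]
        return GRANTED if any(ip_address(client_ip) in n for n in nets) else DENIED
    raise ValueError("unsupported provider: " + directive)

def evaluate(section, client_ip):
    """section = ("any" | "all", [children]); a child is a nested section or a
    directive string such as "not ip 192.168.1.1". Modelled on the documented
    mod_authz_core rules: a negated Require only denies or stays neutral, RequireAny
    stops at the first grant, RequireAll at the first denial."""
    op, children = section
    result = NEUTRAL
    for child in children:
        if isinstance(child, tuple):
            r = evaluate(child, client_ip)
        elif child.startswith("not "):
            r = provider(child[4:], client_ip)
            r = DENIED if r == GRANTED else NEUTRAL  # negation never grants
        else:
            r = provider(child, client_ip)
        if op == "any" and r == GRANTED:
            return GRANTED
        if op == "all" and r == DENIED:
            return DENIED
        if r != NEUTRAL:  # remember a denial (any) or a grant (all)
            result = r
    return result

def allowed(section, client_ip):
    """Access is allowed only when the top-level result is GRANTED."""
    return evaluate(section, client_ip) == GRANTED

# Two spellings of "everyone except 192.168.1.1" (constructed from the page);
# a bare <Directory> behaves like an implicit <RequireAny> container.
IMPLICIT_ANY = ("any", ["all granted", "not ip 192.168.1.1"])
WRAPPED_ALL = ("all", ["all granted", "not ip 192.168.1.1"])

if __name__ == "__main__":
    for ip in ("192.168.1.1", "10.0.0.5"):
        print(ip, "RequireAny:", allowed(IMPLICIT_ANY, ip), "RequireAll:", allowed(WRAPPED_ALL, ip))
```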

URL rewrite

sudo a2enmod rewrite
sc-restart apache2
/etc/apache2/sites-available/myserver.conf
<Directory "/var/www/myserver">
    RewriteEngine       On
    RewriteRule         ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/index.php [L]
</Directory>

HTTPS / SSL

sudo a2enmod rewrite
sudo a2enmod ssl

sc-restart apache2
sudo systemctl daemon-reload
/etc/apache2/sites-available/myserver.conf
<VirtualHost *:80>
    ServerName www.domain.fr
    Redirect   permanent / https://www.domain.fr
</VirtualHost>

<VirtualHost *:443>
    ServerName   www.domain.fr
    DocumentRoot /var/www/myserver

    # Enable SSL for this virtual host
    SSLEngine on
    # Ubuntu's self-signed placeholder certificate (ssl-cert package): browsers will
    # warn about it, so replace it with a real certificate (see Let's Encrypt below)
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    # Exports the standard SSL/TLS related `SSL_*' environment variables for php files
    <FilesMatch "\.php$">
        SSLOptions +StdEnvVars
    </FilesMatch>
</VirtualHost>

SSLOptions

Let's encrypt

# install certbot and the apache plugin
apt install python3-certbot-apache

# dry run, certonly: obtain or renew a certificate, but do not install it
certbot certonly --dry-run --apache --domain www.domain.fr --email admin@domain.fr

# run: obtain & install a certificate in your current webserver
certbot run --apache --domain www.domain.fr --email admin@domain.fr
/etc/apache2/sites-available/www-le-ssl.conf
# configuration created by certbot
<IfModule mod_ssl.c>
<VirtualHost *:443>
    # copies the site's configuration

    # adds the certificates
    SSLCertificateFile    /etc/letsencrypt/live/www.domain.fr/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.domain.fr/privkey.pem

    # includes the Let's Encrypt configuration
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Proxy

# enable the modules
# for http
sudo a2enmod proxy_http
# for https (CONNECT tunnelling)
sudo a2enmod proxy_connect
# enabled automatically when either of the two above is enabled
sudo a2enmod proxy
/etc/apache2/sites-available/myserver.conf
<VirtualHost *:80>
    # everything under the root URL (/) should be mapped to the backend server at the given address
    ProxyPass        / http://backend_server:8080/
    # modify the response headers from backend server
    # same configuration as ProxyPass.
    ProxyPassReverse / http://backend_server:8080/

    # pass the original Host header to the backend server
    ProxyPreserveHost On
    # for reverse proxy
    ProxyRequests     Off
</VirtualHost>

<VirtualHost *:443>
    SSLProxyEngine          On
    # the three directives below disable verification of the backend's certificate:
    # the proxy will then accept any certificate, so keep them only for a backend on
    # a trusted network and give the backend a valid certificate otherwise
    SSLProxyCheckPeerCN     Off
    SSLProxyCheckPeerName   Off
    SSLProxyVerify          none
</VirtualHost>

Conf files

# enable a conf
a2enconf [conf]

# disable a conf
a2disconf [conf]

# list all enabled conf files (and every other included config file)
apachectl -t -D DUMP_INCLUDES

Security

/etc/apache2/conf-available/security.conf
# Hide server information like Apache and PHP versions
ServerTokens Prod

# Turn off your server's signature
ServerSignature Off

# Setting this header will prevent MSIE from interpreting files as something else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled (a2enmod headers).
Header set X-Content-Type-Options: "nosniff"

# Setting this header will prevent other sites from embedding pages from this site as frames.
# Requires mod_headers to be enabled (a2enmod headers).
Header set X-Frame-Options: "sameorigin"

Modules

# enable a module
a2enmod [module]

# disable a module
a2dismod [module]

# list the loaded modules
apachectl -M
Enabling a module that is already enabled is harmless; the same goes for disabling.

PHP

# check that a module has been loaded
php -m | grep <module-name>

# enable a module
phpenmod <module-name>
# restart the apache server afterwards
/etc/php/7.2/apache2/php.ini
memory_limit = 512M

PHP-FPM

By default Apache uses mod_php, which performs worse than php-fpm and cannot be used with HTTP/2.

apt install php-fpm
sc-status php7.2-fpm

# disable the php and mpm_prefork modules
a2dismod php7.2
a2dismod mpm_prefork

# enable the php-fpm configuration and the mpm_event module
a2enmod proxy_fcgi setenvif
a2enconf php7.2-fpm
a2enmod mpm_event
Configuration: /etc/apache2/conf-available/php7.2-fpm.conf

Create a new pool

Allows a different configuration per site.

/etc/php/7.2/fpm/pool.d/new.conf
[new]
listen = /run/php/php7.2-fpm-new.sock
/etc/apache2/sites-available/mysite.conf
<FilesMatch ".+\.ph(ar|p|tml)$">
    SetHandler "proxy:unix:/run/php/php7.2-fpm-new.sock|fcgi://localhost"
</FilesMatch>

Monitoring

/etc/php/7.2/fpm/pool.d/www.conf
pm.status_path = /status
ping.path = /ping
/etc/apache2/sites-available/000-default.conf
# the status and ping pages reveal pool and request details: restrict who can reach them
<FilesMatch "^(ping|status)$">
    SetHandler "proxy:unix:/run/php/php7.2-fpm.sock|fcgi://localhost"
</FilesMatch>

# enable access to the web page
Alias /fpm /usr/share/php/7.2/fpm
<Directory /usr/share/php/7.2/fpm>
    DirectoryIndex status.html
</Directory>

HTTP/2

Use php-fpm, since HTTP/2 is incompatible with mod_php.

a2enmod http2
/etc/apache2/mods-available/http2.conf
# file to create
<IfModule mod_http2.c>
    Protocols h2 http/1.1
</IfModule>

.NET Core

/etc/apache2/sites-available/dotnetcore.conf
<VirtualHost *:*>
    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
</VirtualHost>

<VirtualHost *:80>
    ServerName dotnetcore.myserver

    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:5000/
    ProxyPassReverse / http://127.0.0.1:5000/

    ErrorLog ${APACHE_LOG_DIR}/dotnetcore-error.log
    CustomLog ${APACHE_LOG_DIR}/dotnetcore-access.log common
</VirtualHost>
Remove https://localhost:5001 from the launchSettings.json file

Directory and file permissions

The Apache server accesses directories and files as the www-data user.

Mediawiki

/etc/apache2/sites-available/mediawiki.conf
<VirtualHost *:80>
    ServerName mediawiki.host
    DocumentRoot /var/www/mediawiki

    ErrorLog ${APACHE_LOG_DIR}/mediawiki-error.log
    CustomLog ${APACHE_LOG_DIR}/mediawiki-access.log combined

    <Directory "/var/www/mediawiki">
        AllowOverride       All
        Options             -Indexes
        ErrorDocument 403   /index.php
        RewriteEngine       On
        RewriteRule         ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/index.php [L]
    </Directory>
</VirtualHost>

Errors

SSL_ERROR_RX_RECORD_TOO_LONG

Firefox reports this error when port 443 answers in plain HTTP instead of TLS, typically because no SSL virtual host is enabled.

# enable the default-ssl site
sudo a2ensite default-ssl.conf